LinOTP two-factor authentication server

Today I want to share how to set up a two-factor authentication server to protect a company network, websites, services and ssh. The server will run the following bundle: LinOTP + FreeRadius.

Why do we need it?
It is a free, convenient solution that lives inside your own network and does not depend on third-party providers.

The service is very handy and, unlike other open-source products, very clear to work with; it also supports a large number of functions and policies (for example, login+password+(PIN+OTPToken)). Through its API it integrates with sms sending services (LinOTP Config -> Provider Config -> SMS Provider), generates codes for mobile applications such as Google Authenticator, and much more. I think it is simpler than the service discussed in the article.

This server works perfectly with Cisco ASA, an OpenVPN server, Apache2, and in general with almost everything that supports authentication through a RADIUS server (for example, SSH in a data center).

Required:

1) Debian 8 (jessie) - Mandatory! (a trial installation on debian 9 is described at the end of the article)

Let's start:

Install Debian 8.

Add the LinOTP repository:

# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list

Add the keys:

# gpg --search-keys 913DFF12F86258E5

Sometimes, during a "clean" installation, Debian prints the following after this command:

gpg: создан каталог `/root/.gnupg'
gpg: создан новый файл настроек `/root/.gnupg/gpg.conf'
gpg: ВНИМАНИЕ: параметры в `/root/.gnupg/gpg.conf' еще не активны при этом запуске
gpg: создана таблица ключей `/root/.gnupg/secring.gpg'
gpg: создана таблица ключей `/root/.gnupg/pubring.gpg'
gpg: не заданы серверы ключей (используйте --keyserver)
gpg: сбой при поиске на сервере ключей: плохой URI

This is the initial setup of gnupg. It is fine: just run the command again.
To Debian's question:

gpg: поиск "913DFF12F86258E5" на hkp сервере keys.gnupg.net
(1)	LSE LinOTP2 Packaging <[email protected]>
	  2048 bit RSA key F86258E5, создан: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5".  Введите числа, N) Следующий или Q) Выход>

We answer: 1

Next:

# gpg --export 913DFF12F86258E5 | apt-key add -

# apt-get update

Install mysql. In theory you could use a different sql server, but for simplicity I will use the one recommended for LinOTP.

(Additional information, including LinOTP database configuration, can be found in the official documentation link. There you will also find the command dpkg-reconfigure linotp for changing the parameters if you already have mysql installed.)

# apt-get install mysql-server

# apt-get update

(it does not hurt to check for updates once more)
Install LinOTP and the additional modules:

# apt-get install linotp

We answer the installer's questions:
Use Apache2: yes
Create a LinOTP admin password: "your password"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate database user: LinOTP2
Set the user's password: "your password"
Should I create the database now? (something like "Are you sure you want to ..."): yes
Enter the MySQL root password you created during its installation: "your password"
Done.

(optional, you do not have to install it)

# apt-get install linotp-adminclient-cli 

(optional, you do not have to install it)

# apt-get install libpam-linotp  

And now our LinOTP web interface is available at:

https://SERVER_IP/manage

I will talk about the settings in the web interface a little later.

Now the most important part! We bring up FreeRadius and connect it to LinOTP.

Install FreeRadius and the module for working with LinOTP:

# apt-get install freeradius linotp-freeradius-perl

Back up the radius client and users configuration:

# mv /etc/freeradius/clients.conf  /etc/freeradius/clients.old

# mv /etc/freeradius/users  /etc/freeradius/users.old

Create an empty clients file:

# touch /etc/freeradius/clients.conf

Edit our new configuration file (the backed-up configuration can be used as an example):

# nano /etc/freeradius/clients.conf

client 192.168.188.0/24 {
    secret  = passwd # password the clients use to connect
}

Next, create the users file:

# touch /etc/freeradius/users

Edit the file, telling radius that we will use perl for authentication:

# nano /etc/freeradius/users

DEFAULT Auth-Type := perl

After that, edit the file /etc/freeradius/modules/perl:

# nano /etc/freeradius/modules/perl

We need to specify the path to the linotp perl script in the module parameter:

perl {
    ...
    module = /usr/lib/linotp/radius_linotp.pm
    ...
}

After that, we create the file in which we say where (domain, database or file) the user data is taken from.

# touch /etc/linotp2/rlm_perl.ini

# nano /etc/linotp2/rlm_perl.ini

URL=https://IP_of_your_LinOTP_server(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False

I will go into more detail here because it is important:

Full description of the file, with comments:
#IP of the linOTP server (the IP address of our LinOTP server)
URL=https://172.17.14.103/validate/simplecheck
#Our realm, which we will create in the LinOTP web interface.
REALM=realm1
#Name of the user group created in the LinOTP web interface.
RESCONF=flat_file
#optional: enable it to see that everything works correctly
Debug=True
#optional: use this if you have self-signed certificates, otherwise comment it out (SSL check if we made our own certificate and want to verify it)
SSL_CHECK=False
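Because FreeRADIUS takes every setting it needs from this one file, it is worth checking it before the first authentication attempt. The following script is an added example, not part of the original article or of LinOTP: it parses the KEY=value format shown above (lines starting with '#' are comments), confirms the three settings the perl module cannot work without (URL, REALM, RESCONF) are present, and flags the two "optional" settings that are fine while testing but should not stay on a production server (SSL_CHECK=False turns off certificate verification of the LinOTP server, Debug=True logs authentication details). The sample file embedded in the script is constructed from the article's example values.

```python
"""Sanity-check /etc/linotp2/rlm_perl.ini before pointing FreeRADIUS at it.

Added example, not part of the original article or of LinOTP. It parses the
KEY=value format the article shows (lines starting with '#' are comments) and
reports the settings a defender should not leave in place on a production box.
"""
import sys
from urllib.parse import urlparse

# Settings the radius perl module cannot work without (per the article).
REQUIRED_KEYS = ("URL", "REALM", "RESCONF")

# Constructed sample matching the article's example file (not a real deployment).
SAMPLE_INI = """\
#IP of the linOTP server
URL=https://172.17.14.103/validate/simplecheck
#Our realm created in the LinOTP web interface
REALM=realm1
#Name of the user group created in the LinOTP web interface
RESCONF=flat_file
#optional
Debug=True
#optional
SSL_CHECK=False
"""


def parse_rlm_perl_ini(text):
    """Return a dict of settings; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (expected KEY=value): {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_rlm_perl_ini(settings):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            findings.append(f"missing required setting {key}")
    url = settings.get("URL", "")
    if url:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append("URL must use https: the OTP and PIN travel in the request")
        if not parsed.path.endswith("/validate/simplecheck"):
            findings.append("URL should point at /validate/simplecheck")
    if settings.get("SSL_CHECK", "True").lower() == "false":
        findings.append("SSL_CHECK=False disables certificate verification; "
                        "trust the self-signed CA instead")
    if settings.get("Debug", "False").lower() == "true":
        findings.append("Debug=True logs authentication details; turn it off in production")
    return findings


if __name__ == "__main__":
    # Usage: python3 check_rlm_perl.py [/etc/linotp2/rlm_perl.ini]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    for finding in check_rlm_perl_ini(parse_rlm_perl_ini(text)) or ["OK"]:
        print(finding)
```

Run it against the real file once FreeRADIUS is configured; with the article's example values it reports the SSL_CHECK and Debug findings and nothing else.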

After that, create the file /etc/freeradius/sites-available/linotp:

# touch /etc/freeradius/sites-available/linotp

# nano /etc/freeradius/sites-available/linotp

And copy the configuration into it (nothing needs to be edited):

authorize {
    # normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    #  Read the 'users' file to learn about special configuration which should be applied for
    #  certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows to define valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}

Next we create a symlink:

# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

Personally, I remove the default Radius sites, but if you need them you can edit their configuration or disable them.

# rm /etc/freeradius/sites-enabled/default

# rm /etc/freeradius/sites-enabled/inner-tunnel

# service freeradius reload

Now let's go back to the web interface and look at it in a little more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New.
Choose what we want: LDAP (AD win, LDAP samba), or SQL, or local users of the system (Flatfile).

Fill in the required fields.

Next we create the REALMS:
In the top right corner click LinOTP Config -> Realms -> New.
Give our REALMS a name, and click on the UserIdResolvers created earlier.

FreeRadius needs all of this data in the file /etc/linotp2/rlm_perl.ini, as I wrote above, so if you did not edit it then, do it now.

The server is fully configured.
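Before testing through RADIUS it helps to talk to the /validate/simplecheck endpoint from rlm_perl.ini directly, which is exactly what the radius_linotp.pm module does on every authentication. The following client is an added example, not code from the article or from LinOTP. It assumes the endpoint accepts the parameters user, pass and realm (the values the article's rlm_perl.ini supplies to the perl module) and replies with one of three smileys: ':-)' when the PIN+OTP is accepted, ':-(' when it is rejected and ':-/' on a server-side error. Unlike SSL_CHECK=False, it never disables TLS verification; the ca_file parameter is the place to trust the self-signed certificate the installer generated.

```python
"""Query LinOTP's /validate/simplecheck the way the FreeRADIUS perl module does.

Added example, not the article's or LinOTP's own code. Assumptions: the
endpoint takes user/pass/realm and answers ':-)' (accepted), ':-(' (rejected)
or ':-/' (error); anything else is treated as an error, never as success.
"""
import getpass
import ssl
import sys
import urllib.parse
import urllib.request

RESULTS = {":-)": "accepted", ":-(": "rejected", ":-/": "error"}


def build_request(url, user, password, realm=None):
    """Return (url, urlencoded body) for a POST to /validate/simplecheck.

    'pass' carries PIN+OTP (the article's login+password+(PIN+OTPToken)
    policy). It goes in the body, not the query string, so it does not end
    up in the web server's access log.
    """
    params = {"user": user, "pass": password}
    if realm:
        params["realm"] = realm
    return url, urllib.parse.urlencode(params).encode()


def interpret_simplecheck(body):
    """Map the smiley reply to a verdict; an unexpected body is an error."""
    return RESULTS.get(body.strip(), "error")


def simplecheck(url, user, password, realm=None, ca_file=None, timeout=5):
    """Validate PIN+OTP against LinOTP; the TLS certificate is always verified.

    ca_file lets you trust the server's self-signed certificate instead of
    switching verification off the way SSL_CHECK=False does.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    target, data = build_request(url, user, password, realm)
    req = urllib.request.Request(target, data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return interpret_simplecheck(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python3 simplecheck.py https://SERVER_IP/validate/simplecheck USER REALM [CA_FILE]
    url, user, realm = sys.argv[1:4]
    ca = sys.argv[4] if len(sys.argv) > 4 else None
    print(simplecheck(url, user, getpass.getpass("PIN+OTP: "), realm=realm, ca_file=ca))
```

A verdict of "accepted" here but a rejection through RADIUS points at the FreeRadius side (clients.conf secret, the users file or the perl module path); a rejection here points at the realm, the UserIdResolver or the token itself.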

Addendum:

Setting up LinOTP on Debian 9:

Installation:

# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list 
# apt-get install dirmngr

# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update

# apt-get install mysql-server

(by default, mysql (mariaDB) on Debian 9 does not offer to set a root password; you can of course leave it empty, but if you read the news, that constantly leads to "epic fails", so we set one anyway)

# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('password_here') WHERE User = 'root';
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp

Paste in this configuration (sent by JuriM, thanks for that!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}

Edit /etc/freeradius/3.0/mods-enabled/perl:

perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}

Unfortunately, on Debian 9 the radius_linotp.pm library is not installed from the repository, so we take it from github.

# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm

Now let's edit /etc/freeradius/3.0/clients.conf:

client servers {
    ipaddr = 192.168.188.0/24
    secret = secret_password
}

Now let's edit /etc/linotp2/rlm_perl.ini:

We paste in the same contents as for the debian 8 installation (described above).

That is all in theory (not tested yet).

Below I leave a few links on setting up systems that often need to be protected with two-factor authentication:
Setting up two-factor authentication in Apache2

Setting up with Cisco ASA (a different token generation server is used there, but the ASA settings themselves are the same).

VPN with two-factor authentication

Setting up two-factor authentication for ssh (LinOTP is used there as well) - thanks to the author. There you can also find interesting things about setting up LinOTP policies.

Also, the CMSs of many sites support two-factor authentication (for WordPress, LinOTP even has its own dedicated module on github), for example if you want to make a protected section of your company website for company employees.
IMPORTANT FACT! DO NOT check the "Google authenticator" box in order to use Google Authenticator! The QR code is unreadable then... (a strange fact)

Information from the following articles was used in writing this one:
itnan.ru/post.php?c=1&p=270571
www.digitalbears.net/?p=469

Thanks to the authors.

Source: www.habr.com